package com.uniview.filter;

import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.lang3.StringUtils;

public class UnSessionFilter implements Filter {

	public static Map<String, HttpSession> sessionMap = new HashMap<String, HttpSession>();

	@Override
	public void destroy() {
		// TODO Auto-generated method stub
	}

	@Override
	public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
			throws IOException, ServletException {

		HttpServletRequest request = (HttpServletRequest) req;
		HttpServletResponse response = (HttpServletResponse) res;

		String[] paths = { "login", "doLogin", "outLogin", "admin/assets", "admin/css", "admin/images", "admin/js", "admin/layui",
				"login.jsp", "mobile", "sys/updateMenuView", "sys/addMenuView", "sys/roleSource", "sys/roleUserManagement", 
				"sys/roleUserRight", "sys/roleUserLeft", "static/export" };
		String urlPath = request.getServletPath();

		boolean flag = false;
		for (int i = 0; i < paths.length; i++) {
			if (urlPath.contains(paths[i])) {
				flag = true;
				break;
			}
		}
		//静态页面允许通过
		if(urlPath.endsWith(".html") || urlPath.endsWith(".jsp")) {
			flag = true;
		}

		if (!flag) {
			HttpSession curSession = request.getSession();
			String SID = curSession.getId();
			HttpSession session = sessionMap.get(SID);
			if (null != session) {
				if(urlPath.equals("/admin/index")) {
					// 登录首页　/admin/index 不需要校验token
					chain.doFilter(req, res);
				} else {
					// 判断是否伪造请求
					String referer = request.getHeader("Referer");
					String origin = request.getHeader("Origin");
					// 判断 Referer 是否以 bank.example 开头
					if (StringUtils.isBlank(referer) || !(referer.trim().startsWith(origin))) {
						response.setHeader("sessionstatus", "invalid");
						response.sendRedirect(request.getContextPath() + "/admin/login");
						return;
					}
					
					// 校验session中的token与参数中的token是否一致
					String token = request.getHeader("token");
					
					if (StringUtils.isNotBlank(token)) {
						String sessionToken = (String) session.getAttribute("token");
						token = new String(Base64.getDecoder().decode(token));
						sessionToken = new String(Base64.getDecoder().decode(sessionToken));
						if (token.equals(sessionToken)) {
							chain.doFilter(req, res);
						} else {
							response.setHeader("sessionstatus", "invalid");
							response.sendRedirect(request.getContextPath() + "/admin/login");
							return;
						}
					} else {
						response.setHeader("sessionstatus", "invalid");
						response.sendRedirect(request.getContextPath() + "/admin/login");
						return;
					}
				}
			} else {
				if (request.getHeader("x-requested-with") != null) {
					response.setHeader("sessionstatus", "invalid");
				} else {
					response.sendRedirect(request.getContextPath() + "/admin/login");
				}
				return;
			}
		} else {
			chain.doFilter(req, res);
		}
	}

	@Override
	public void init(FilterConfig arg0) throws ServletException {
		// TODO Auto-generated method stub
	}

}
